mac80211: fix multicast LED blinking and counter

As multicast-frames can't be fragmented, "dot11MulticastReceivedFrameCount"
stopped being incremented after the use-after-free fix. Furthermore, the
RX-LED will be triggered by every multicast frame (which wouldn't happen
before) which wouldn't allow the LED to rest at all.

Fixes https://bugzilla.kernel.org/show_bug.cgi?id=89431 which also had the
patch.

Cc: stable@vger.kernel.org
Fixes: b8fff407a180 ("mac80211: fix use-after-free in defragmentation")
Signed-off-by: Andreas Müller <goo@stapelspeicher.org>
[rewrite commit message]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

1 files changed, 6 insertions, 5 deletions

diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 49c23bdf08bb..683b10f46505 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1761,14 +1761,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
         sc = le16_to_cpu(hdr->seq_ctrl);
         frag = sc & IEEE80211_SCTL_FRAG;
 
-        if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
-                goto out;
-
         if (is_multicast_ether_addr(hdr->addr1)) {
                 rx->local->dot11MulticastReceivedFrameCount++;
-                goto out;
+                goto out_no_led;
         }
 
+        if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
+                goto out;
+
         I802_DEBUG_INC(rx->local->rx_handlers_fragments);
 
         if (skb_linearize(rx->skb))
@@ -1859,9 +1859,10 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
         status->rx_flags |= IEEE80211_RX_FRAGMENTED;
 
  out:
+        ieee80211_led_rx(rx->local);
+ out_no_led:
         if (rx->sta)
                 rx->sta->rx_packets++;
-        ieee80211_led_rx(rx->local);
         return RX_CONTINUE;
 }